b'Office of the Inspector General\nCorporation for National and Community Service\n\nRecommended Improvements to the\nCorporation\'s Internal Controls\nFiscal Year 1999 - Management Letter\n\nOIG Audit Report Number 00-38\nMarch 3, 2000\n\nPrepared by:\n\nKPMG LLP\n2001 M Street, N.W.\nWashington, D.C. 20036\n\nUnder Corporation for National and Community Service\nContract # 98-743-3002\nTask Order #7\n\nThis report was issued to Corporation management on June 27, 2000. Under the\nlaws and regulations governing audit follow up, the Corporation must make final\nmanagement decisions on the report\'s findings and recommendations no later than\nDecember 26, 2000, and complete its corrective actions by June 27, 2001.\nConsequently, the reported findings do not necessarily represent the final resolution\nof the issues presented.\n\x0cOffice of the Inspector General\nCorporation for National Services\n\nRecommended Improvements to the Corporation\'s Internal Controls\nFiscal Year 1999 - Management Letter\n\nThe Office of the Inspector General, Corporation for National Service, engaged KPMG LLP to audit the\nCorporation\'s fiscal year 1999 financial statements. 
The audit, conducted in accordance with government\nauditing standards, included extensive audit procedures to overcome known material weaknesses and other\npervasive systems deficiencies. As a result, KPMG was able to issue an unqualified opinion on the\nCorporation\'s Statement of Financial Position at September 30, 1999; however, KPMG was unable to render\nan opinion on the Statements of Operations and Changes in Net Position, and the Statement of Cash Flows\nfor the fiscal year. OIG\'s Audit Report 00-01, Audit of the Corporation for National and Community\nService\'s Fiscal Year 1999 Financial Statements, describes the basis for the opinion as well as material\nweaknesses, other reportable internal control conditions, and compliance issues found as a result of the audit.\n\nDuring the engagement, the auditors also noted other matters involving the Corporation\'s internal controls\nthat were not considered material weaknesses or reportable conditions. This report discusses these\nconditions and includes recommendations for corrective action. OIG has reviewed the report and work\npapers supporting its conclusions and agrees with the findings and recommendations presented.\n\nWe provided a draft to the Corporation for review and comment. The Corporation\'s response, Appendix B,\ncites areas in which it has made improvements and areas where it disagrees with the auditor\'s findings and\nrecommendations. In order to address certain of the concerns expressed in the Corporation\'s response,\nKPMG eliminated one of the original comments and clarified the wording of two others.\n\nInspector General\n1201 New York Avenue, 
NW\nWashington, DC 20525\n\x0cOffice of the Inspector General\nCorporation for National and Community Service\n\nRecommended Improvements to the Corporation\'s Internal Controls\nFiscal Year 1999 - Management Letter\n\nTransmittal Letter\n\nAppendix A - Recommended Improvements to the Corporation\'s Internal Controls\n\n   Grants Management\n\n   A.1 Timely reconciliations of the NCSA subsidiary data to the general\n       ledger are not performed. *\n   A.2 NCSA grant files are not complete. *\n   A.3 DVSA grant files are not complete. *\n   A.4 Administrative closeout procedures for NCSA grants are not\n       routinely performed.\n   A.5 Administrative closeout procedures for DVSA grants are not\n       routinely performed. *\n   A.6 Funding reconciliations for expired DVSA grants are not\n       consistently performed. *\n   A.7 Administration of the NCSA grants management system lacks\n       formal policies and procedures. *\n\n   National Service Trust\n\n   B.1 Trust voucher processing lacks a tracking system and established\n       time frame for payment issuance. *\n   B.2 Certain full-time Members who completed service in excess of one\n       year earned education awards.\n\n*Represents comment repeated from prior year(s)\n\n   Content of Annual Financial Reports\n\n   C.1 The content of Annual Financial Reports should be improved. *\n\n   Revenue from Reimbursable Agreements\n\n   D.1 Cash receipts are not consistently deposited and recorded in a timely\n       manner. *\n\n   Fund Balance with Treasury\n\n
   E.1 Certain disbursements were reported incorrectly on the Statements of\n       Transactions.\n   E.2 The Corporation did not record rescinded appropriations timely.\n\n   Information Technology\n\n   F.1 The Corporation should implement a comprehensive systems\n       development life cycle methodology.\n   F.2 The Corporation\'s application change control process needs\n       improvement. *\n   F.3 Logical access controls can be improved.\n   F.4 The Corporation\'s service continuity controls can be improved. *\n   F.5 The Corporation does not obtain sufficient information on controls\n       in place at the National Business Center service organization.\n\n   Procurement and General Expenditures\n\n   G.1 Documentation to support certain cash disbursements is insufficient. *\n\n   Human Resources\n\n   H.1 Review of payroll-related data entry is not consistently performed by\n       Service Centers and State Offices. *\n   H.2 Approval of Federal payroll reconciliation is not secured by a\n       cryptography system. *\n   H.3 Approval of Request for Personnel Action (SF-52) forms is not\n       consistently documented. *\n   H.4 National Civilian Community Corps member application files are\n       incomplete. *\n   H.5 VISTA member files are incomplete. *\n\n   Laws and Regulations\n\n   I.1 Reports on Budget Execution (SF-133s) are not always accurate or\n       submitted on a timely basis. *\n   I.2 Certain Apportionment and Reapportionment Schedules (SF-132s)\n       were not submitted timely. 
*\n\n   Property and Equipment\n\n   J.1 Procedures for performing physical inventories of property and\n       equipment were not implemented.\n\nAppendix B - Corporation Response\n\x0c2001 M Street, N.W.\nWashington, DC 20036\n\nInspector General\nCorporation for National and Community Service:\n\nWe have audited the fiscal year 1999 financial statements of the Corporation for National and\nCommunity Service, and have issued our report thereon, dated March 3, 2000. Our report expresses an\nunqualified opinion on the Corporation\'s Statement of Financial Position as of September 30, 1999 and a\ndisclaimer of opinion on the related Statements of Operations and Changes in Net Position and Cash\nFlows for the year then ended.\n\nIn planning and performing our audit, we considered the Corporation\'s internal control over financial\nreporting by obtaining an understanding of the internal controls. We determined whether these internal\ncontrols had been placed in operation, assessed control risk, and performed tests of controls in order to\ndetermine our auditing procedures for the purpose of expressing our opinion on the financial statements,\nnot to provide assurance on internal control over financial reporting. As a part of obtaining reasonable\nassurance about whether the Corporation\'s financial statements were free of material misstatement, we\nperformed tests of the Corporation\'s compliance with certain provisions of laws and regulations,\nnoncompliance with which could have a direct and material effect on the determination of financial\nstatement amounts, and certain other laws and regulations. 
Our report on internal control over financial\nreporting and on compliance with laws and regulations based on an audit of the financial statements,\nperformed in accordance with Government Auditing Standards, identified those matters we considered to\nbe reportable conditions.\n\nDuring our audit, we also noted certain matters involving internal control over financial reporting and\nother operational matters that are not considered reportable conditions. These comments and\nrecommendations are presented in Appendix A to this letter for the Corporation\'s consideration and are\nintended to improve internal control over financial reporting or result in other operating efficiencies. To\nthe extent prior year comments have continuing relevance, we have incorporated these comments into\nthose presented in Appendix A. Our audit procedures were designed primarily to enable us to form an\nopinion on the Corporation\'s financial statements, and therefore may not bring to light all weaknesses in\npolicies or procedures that exist. The Corporation\'s response to our comments and recommendations is\npresented in Appendix B. In order to address certain of the concerns expressed in the Corporation\'s\nresponse, we have eliminated one of the original comments and have clarified the wording of two others.\n\nThis report is intended solely for information and use of the United States Congress, the President, the\nDirector of the Office of Management and Budget, the Comptroller General of the United States and the\nCorporation for National and Community Service and its Inspector General, and is not intended to be and\nshould not be used by anyone other than these specified parties.\n\nMarch 3, 
2000\n\nKPMG LLP. KPMG LLP, a U.S. limited liability partnership, is\na member of KPMG International, a Swiss association.\n\x0cAPPENDIX A\n\nCorporation for National and Community Service\n\nRecommended Improvements to the Corporation\'s Internal Controls\nFiscal Year 1999 - Management Letter\n\nGrants Management\n\nA.1    Timely Reconciliations of NCSA Subsidiary Data to the General Ledger Are Not\n       Performed\n\nThe Corporation uses the U.S. Department of Health and Human Services\' Payment\nManagement System (PMS) to administer its NCSA grants and other cooperative agreements.\nThe Corporation did not perform a reconciliation of PMS to the Momentum general ledger for\nthe period of time it was in use during fiscal year 1999. The reconciliation process is necessary\nto verify that all information has been accurately recorded in the general ledger. In addition, we\nfound that the monthly reviews performed for drawdowns recorded in Federal Success (prior to\nthe implementation of Momentum) were neither dated nor signed by the preparer. Staff turnover,\nthe length of time required to perform the reconciliation process (approximately one to two\nweeks), and attention to other priorities have caused this situation.\n\nWe recommend the Corporation consider establishing an automated method of reconciliation\nbetween PMS and the new general ledger system. 
We also recommend that the Corporation\nrequire the reconciliation to be completed within 15 days of month-end, and be signed and dated\nby the individuals preparing and reviewing the reconciliation.\n\nA.2    NCSA Grant Files Are Not Complete\n\nOf the 46 NCSA grant files tested for documentation of compliance with established file\nmaintenance internal controls, we noted the following:\n\n     - Two amounts awarded did not agree to the Synchronization Report;\n     - One grant application was not signed by the State Commission Executive Director to\n       indicate approval prior to forwarding to the Corporation;\n     - Evidence of obligation date for two awards was not maintained in the file;\n     - One grant award was incorrectly coded in the Momentum system; and\n     - One grant file omitted the grantee employer identification number.\n\nWe recommend the Corporation strengthen its controls over the completeness of NCSA grant\nfiles by enforcing the use of file completeness checklists. Compliance with these procedures\nshould be monitored by supervisory spot checks of grant files.\n\n
A.3    DVSA Grant Files Are Not Complete\n\nOf the 83 DVSA grant files tested for documentation of compliance with established file\nmaintenance internal controls, we noted the following:\n\n     - Completed applications were missing from two grant files;\n     - Checklists to document completeness of the files were missing from six files.\n       Completion of the checklist has been required since February 1998;\n     - Thirty-nine Notices of Grants Award were not issued 33 days prior to the beginning of\n       the grant period, even though the Corporation has an informal policy that requires\n       adherence to this issuance time frame;\n     - One request for advance and reimbursement was entered into the system and approved\n       by the same person; and\n     - Twelve grantee Financial Status Reports were not submitted, as required, within thirty\n       days of the end of each program quarterly period.\n\nWe recommend that the Corporation strengthen its controls over the completeness of DVSA\ngrant files by enforcing the use of file completeness checklists. The Corporation should also\nrequire the checklists be initialed and dated by the preparer to establish accountability.\nCompliance with these procedures should be monitored by supervisory spot checks of grant files.\n\nA.4    Administrative Closeout Procedures for NCSA Grants Are Not Routinely Performed\n\nThe Corporation does not routinely follow its established procedures for closing out NCSA\ngrants. Without completing closeout procedures, the Corporation could fail to identify excess\namounts advanced to grantees that should be returned to the Corporation. Eleven of twelve\nexpired NCSA grants selected for testing were not subject to proper administrative closeout.\n\nWe recommend the Corporation enforce, and revise as necessary, written policies and procedures\nwith respect to administrative closeout of NCSA grants. 
Closeout procedures should include\nsteps to be taken by the Corporation to ensure that grantees are in compliance with OMB\nCircular A-102, Grants and Cooperative Agreements With State and Local Governments and\nCircular A-110, Uniform Administrative Requirements for Grants and Other Agreements with\nInstitutions of Higher Education, Hospitals, and Other Non-Profit Organizations. Review and\nfollow-up procedures should be implemented to ensure that grants are closed in a timely manner.\n\nA.5    Administrative Closeout Procedures for DVSA Grants Are Not Performed Routinely\n\nThe Corporation\'s procedures for administratively closing DVSA grants are not routinely\napplied, and controls are not in place to ensure all expired grants are closed in a timely manner.\nOur tests of 46 DVSA grants that expired during fiscal year 1999 revealed the following\nexceptions:\n\n     - One grant number was incorrectly recorded in the financial system;\n     - Three grants were not closed out within 180 days;\n     - One grant that was closed out had an inaccurate amount deobligated;\n     - Eighteen close out reconciliations were not signed within 180 days;\n     - Five requests for information regarding grantee completion of programmatic\n       requirements were not sent to the grantees; and\n     - Eight grantees did not reply to the Service Center requests for information regarding\n       grantee completion of programmatic requirements.\n\nWe recommend that the Corporation develop a consistent method for identifying expired grants\nand for administratively closing these grants in a timely manner. 
Review and follow-up\nprocedures by the Service Centers and headquarters should be implemented to ensure Program\nOffices respond to correspondence and that grants are closed timely.\n\nA.6    Funding Reconciliations for Expired DVSA Grants Are Not Consistently Performed\n\nThe Corporation\'s policy states that a funding reconciliation should be performed and\ndocumented for all DVSA expired grants to determine whether (1) funds are available for carry\nover into the next funding period, or (2) excess amounts have been advanced that need to be\ncollected from those grantees that do not have continuing grants. Six of the 46 grant files\nreviewed did not include documentation indicating that the grant officer had completed a\nreconciliation of grant payments to grant expenses. Because reconciliations are not completed,\ngrant officers are unable to properly manage the disbursement of funds and determine whether\nthe disbursed funds are being used properly to pay for current expenses. Additionally, the\nCorporation cannot establish accounts receivable and initiate collection efforts from grantees\nwhen necessary.\n\nWe recommend the Service Centers enforce their procedures to complete and document a\nfunding reconciliation for all expiring grants. In addition, Service Centers should implement\nprocedures requiring a documented review, on a sample basis, by a separate Service Center\nemployee to ensure that the reconciliations are being performed accurately and timely. Finally,\nthe Corporation should transfer excess grant advance balances to accounts receivable and request\na prompt refund of these amounts from grantees.\n\nA.7    Administration of the NCSA Grants Management System Lacks Formal Policies and\n       Procedures\n\nThe Corporation has no formal policies and procedures in place for administering the Grants\nManagement System. 
Database administration duties currently include, but are not limited to,\nadministering and changing passwords and database maintenance.\n\nWithout formal policies for database administration, the system administrator can continue to\ndistribute and maintain unlimited individual and shared passwords, which increases the risk of\nunauthorized access to the Grants Management System. The risk of incorrect and undetected\nchanges being made to the Grants Management System configuration is also increased, which\nincreases the likelihood of data entry errors or lost data. Finally, system reconfigurations that\nmay temporarily disable the Grants Management System could occur during critical data entry\nhours and lead to loss of productivity.\n\nWe recommend that the Corporation implement formal policies and procedures for current\ndatabase administration and for administration of the proposed Momentum grants module before\nit is implemented. These policies and procedures should address the following minimum\nrequirements:\n\n   Segregation of duties between database administration and password administration - a\n   password administrator should administer passwords in accordance with Federal Information\n   Processing Standards Publication 112 section 3. The use of shared passwords should be\n   discontinued.\n\n   Changes to the Grants Management System should only be made on the basis of authorized\n   change request forms.\n\n   Reconfiguration of the Grants Management System should occur only while the system is not\n   in use for data entry.\n\nNational Service Trust\n\nB.1    Trust Voucher Processing Lacks Tracking System and Established Time Frame for\n       Payment Issuance\n\nWe selected 78 Trust Fund payments for internal control and substantive test work. 
We found\nthat 14 of the payments tested were not made within 15 days of the requested dates and that\ntimeliness could not be determined for 5 payments based on the information provided to us.\nAlthough the Corporation has established a goal for processing Trust payment vouchers within\nthree weeks of receiving a properly completed voucher, no formal guidelines exist to identify at\nwhat point a "properly completed voucher" has been received so that the timeliness of actual\npayment can be measured. Further, because the Corporation does not track vouchers received\nand their current status, we were unable to determine the reason for the possible untimely\npayments.\n\nWe recommend that the Corporation institute a system to track vouchers it receives to assist the\nCorporation in identifying the current status of vouchers (e.g., returned to grantee for further\ninformation, date revised voucher was received, approved and forwarded for payment\nprocessing, etc.) and when they should be paid.\n\nB.2    Certain Full-time Members Who Completed Service in Excess of One Year Earned\n       Education Awards\n\nOur tests of the SPAN database included a computer assisted audit technique for a comparison of\nthe enrollment date to the completion date for all Members who earned full-time service awards\nsince inception. As a result of these procedures, we determined that the Corporation had\nprovided 4,865 full-time education awards to Members who did not complete the service\nrequirement in less than one year, as required by law. Completing full-time service in excess of\none year is allowable in certain cases (e.g., VISTA Members and Members who properly\nsuspended service (e.g., for a family illness) for a period of time). 
However, the SPAN data\nprovided to us for audit did not identify the reasons for the extended periods of service, and\nindicates that the Corporation may not be granting education awards in compliance with law.\n\nThe new Web-based Reporting System (WBRS) used for reporting Members\' enrollment and\nend-of-term has controls in place to prevent Members from earning an award outside of the\npermitted timeframe. We recommend that the Corporation continue to examine the effectiveness\nof current controls within WBRS and to assess the need for additional controls. In addition, the\nCorporation should research the 4,865 awards we identified to determine which of the awards\nwere made in compliance with law, and take appropriate action to resolve those awards not made\nin compliance with law.\n\nContent of Annual Financial Reports\n\nC.1      The Content of Annual Financial Reports Should Be Improved\n\nThe preparation of the 1999 annual financial statements was a very cumbersome process due to\nthe inherent limitations of the Corporation\'s legacy financial system and the conversion to a new\nfinancial accounting system late in the fiscal year. The Corporation\'s financial management and\nreporting process was cited as a material weakness in our report on internal control over financial\nreporting.\n\nAs the Corporation becomes familiar with its new financial accounting system and looks forward\nto the preparation of its FY2000 Annual Reports to Congress, we recommend the following\nspecific improvements in its financial reporting process and in the content of the respective\nfinancial reports be made:\n\n      Develop a cost accounting module that can be integrated with the new general ledger system\n      to accumulate direct and indirect costs related to each major program. 
The cost accounting\n      module should include a means to aggregate and allocate administrative and other overhead\n      costs (such as office rent and data processing) among the programs. A separate cost category\n      for general and administrative costs should also be maintained for costs that are otherwise not\n      allocable to specific programs.\n\n      Reformat the Corporation\'s financial statements to report the operations of the Trust and Gift\n      Funds separately, either on the face of, or in a note to, the financial statements. Combine the\n      Trust Fund\'s financial statement disclosures, other NCSA-required reporting and other\n      relevant statistics into a format that will facilitate understanding and analysis of the Trust\n      Fund\'s operations by Congress and other financial statement users.\n\n      Aggregate expenses by major program on the face of the statement of operations and changes\n      in net position. Present a supplemental schedule of program costs that would separately\n      report grant expenses and other costs by object class for each major program.\n\n      Assess the benefits of reporting under Federal Accounting Standards Advisory Board\n      (FASAB) accounting standards. The American Institute of Certified Public Accountants\n      recognized the FASAB as the authoritative standard setting body for federal entities in\n      October 1999. Federal entities, like the Corporation, which had been reporting under\n      Financial Accounting Standards Board (FASB) accounting standards prior to FASAB\n      recognition have been permitted to continue to report under the FASB standards until the\n      FASAB issues an official ruling on this matter. However, since the Corporation receives a\n      significant portion of its funding from annual appropriations from Congress, reporting under\n      the requirements of OMB Bulletin No. 
97-01, Form and Content of Agency Financial\n      Statements, may be a preferable and more meaningful reporting method.\n\nRevenue from Reimbursable Agreements\n\nD.1    Cash Receipts Are Not Consistently Deposited and Recorded in a Timely Manner\n\nThe Corporation lacks adequate controls over the timely deposit of cash receipts, thus increasing\nthe risk of misappropriation of these receipts. For fiscal year 1999, 9 of the 45 cash receipt\ntransactions tested were either not posted to the general ledger or not deposited in a timely\n(within 5 business days) manner. We noted time lags at three Service Centers and at the\nCorporation\'s headquarters.\n\nWe recommend that the Corporation enforce existing procedures requiring the timely deposit and\nposting of cash receipts. We also recommend that the Corporation continue to implement\nprocedures requiring that management review cash receipts general ledger transaction records to\nensure that cash receipts are being posted timely and accurately.\n\nFund Balance with Treasury\n\nE.1    Certain Disbursements Were Reported Incorrectly on the Statements of Transactions\n\nThe August and September 1999 SF-224, Statements of Transactions (SF-224), included\nincorrect disbursement information for the 1997, 1998 and 1999 DVSA appropriations. In\nAugust, the Corporation incorrectly reported 1997 DVSA disbursements as 1999 DVSA\ndisbursements; the Corporation attempted to, but did not, correct this error in the September\n1999 SF-224. Additionally, on the September 1999 SF-224, the Corporation incorrectly reported\n1999 DVSA disbursements as 1998 DVSA disbursements.\n\nThe August error overstated disbursements for 1999 DVSA appropriation and understated\ndisbursements for 1997 DVSA appropriation. 
The September error overstated disbursements for\n1998 and understated disbursements for the 1999 DVSA appropriations. However, the net effect\non total Fund Balance with Treasury was zero.\n\nWe recommend that the Corporation implement additional supervisory review controls to ensure\nthat transactions are correctly reported on the SF-224s.\n\nE.2    The Corporation Did Not Record Rescinded Appropriations Timely\n\nThe Corporation did not record fiscal year 1999 rescinded appropriations of $144,000 related to\nthe Corporation\'s Program Administration activity in the general ledger until March 3, 2000. As\na result, fund balance with Treasury was overstated by that amount as of September 30, 1999. In\naddition, untimely recording of rescissions could result in over-obligating and overspending of\nappropriations, although it did not in this case. We recommend that the Corporation enhance\ncontrol procedures over the timely recording of appropriation-related activity in the general\nledger.\n\nInformation Technology\n\nF.1       The Corporation Should Implement a Comprehensive Systems Development Life Cycle\n          Methodology\n\nAs of the date of our report, the Corporation did not have a documented, comprehensive systems\ndevelopment life cycle (SDLC) methodology. If formal methodologies are not utilized, new\nsystems may be developed inappropriately, which may result in technology that does not meet\nthe needs of the organization. Further, the system may be developed at significant cost and\ndelay.\n\nIn April 2000, the Corporation adopted a formal SDLC methodology; however, we did not\nevaluate it as a part of our 1999 audit procedures. 
We recommend that the Corporation begin to\nimplement the new SDLC methodology, but remain open to suggestions for changes based on a\nformal review of the methodology to be performed in conjunction with the fiscal year 2000 audit.\n\nF.2       The Corporation\'s Application Change Control Process Needs Improvement\n\nThe Corporation\'s application change control process is not documented. In addition, the current\ninformal process does not include cost analysis, test plans, formal acceptance of change, and\nminutes from Change Control Board (CCB) meetings. As a result, costly, unauthorized and/or\npotentially inaccurate computer program changes could be entered into the production\nenvironment.\n\nRelated to the change control process, we recommend that the Corporation perform the\nfollowing:\n\n     - Document the current change control process\n     - Prepare a formal test plan procedure\n     - Complete a formal acceptance of the changes\n     - Include minutes from the CCB meetings\n     - Prepare a cost benefit analysis for changes of significant value\n\n
F.3       Logical Access Controls Can Be Improved\n\nLogical access controls exhibit the following weaknesses:\n\n     - The security mechanism protecting the dial-in access to the Corporation\'s internal network is\n       inadequate because only user IDs and passwords are used for security.\n     - According to the Office of Information Technology (OIT) policy, the NT Administrative\n       password is required to be changed monthly; however, a report of the passwords indicated\n       that the NT Administrative password had not been changed for 295 days.\n     - Access to the Momentum system is not blocked after a series of failed logon attempts, no\n       limitation on the reuse of passwords exists, and terminals are not logged off after a period of\n       inactivity.\n     - Network terminals are not logged off after a period of inactivity.\n\nTo strengthen logical access security, we recommend that the Corporation:\n\n     - Implement another form of security for dial-in access, such as token authentication or dial back\n       verification.\n     - Develop and implement procedures that ensure (a) the NT Administrative password is changed\n       on a regular basis, (b) access to Momentum is blocked after a series of failed logon attempts, (c)\n       limitations on the reuse of passwords are established, and (d) terminals are logged off after a\n       period of inactivity or the use of password-protected screen savers is required.\n\nF.4       The Corporation\'s Service Continuity Controls Can Be Improved\n\nContingency plans and disaster recovery plans are intended to outline steps to be taken during\nemergency situations. If these plans are inadequately tested or incomplete, employees cannot\nappropriately assess emergencies and cannot rely on established procedures to report and remedy\ncritical problems. 
The current contingency plan only addresses disaster scenarios related to Year\n2000 issues and does not cover business impact in the event of a disaster. In addition, testing of\nthe disaster recovery plan only focused on computer testing and did not address all aspects of a\npotential disaster, making the identification of plan improvement areas difficult.\n\nThe Corporation\'s current security plan is missing incident response information, identification\nof data owners for mission critical systems, and designation of responsible management for\nmission critical systems. Additionally, it does not address all financial and mission critical\napplications.\n\nWe recommended that the Corporation revise the contingency plan and remove all references to\nYear 2000. During this revision process, the Corporation should:\n\n      Perform a Business Impact Analysis (BIA) to establish business function priorities\n      Update Contingency Guidelines to reflect the results of the BIA\n      Develop and document roles and responsibilities for critical employees that reflect all disaster\n      scenarios, not only Year 2000-related events\n      Develop scenarios and procedures for different types of disasters\n      Add critical employee and vendor phone numbers to the document\n\nWe also recommended that the Corporation prepare a security plan for all financial and mission\ncritical applications and include the following areas in the current security plan before it is\nfinalized:\n\n      Incident response information\n      Data owner for mission critical systems\n      Designation of responsible management for mission critical systems\n\nFinally, we recommend that the Corporation conduct a full disaster recovery test on an annual\nbasis. 
The test should involve all members of the Disaster Recovery Team.\n\nF.5      The Corporation Does Not Obtain Sufficient Information on Controls in Place at the\n         National Business Center Service Organization\n\nUnder Statement on Auditing Standards (SAS) No. 70, Audits of Service Organizations,\nindependent auditors provide an opinion on the assertions by a service organization\'s\nmanagement about its internal control objectives and the effectiveness of the design and\noperation of the controls in place during a specified period of time. This report can be used by\nclients of the service organization and their auditors to assess control risk. Since the National\nBusiness Center (NBC) recently began to support client/server applications, such as Momentum,\na SAS 70 report has not yet been completed for this business function. However, the interagency\nagreement between NBC and the Corporation does not include a provision that requires a\ncontrols audit report from the service organization. In addition, the agreement between the\nCorporation and NBC lacks detail in the area of backup and disaster recovery.\n\nWe recommend that the Corporation amend the terms of its agreement with NBC to request a\nclient/server SAS 70 report be completed at NBC. The Corporation should also request that the\ninteragency agreement be revised to include more detail regarding NBC services, specifically in the\narea of disaster recovery and backup procedures.\n\nProcurement and General Expenditures\n\nG.1    Documentation to Support Certain Cash Disbursements is Insufficient\n\nAs a part of our audit procedures, we visited each of the Corporation\'s service centers to review\ncontrols in place over cash receipts and disbursements. We requested service center personnel to\nprovide us with supporting documentation for selected cash disbursements and other financial\ntransactions. 
The Southern Service Center was unable to provide sufficient documentation to\nfully support any of the 14 cash disbursement items requested. As a result, we could not\ndetermine whether proper authorization procedures for purchases and travel were in place, or\nwhether a proper review for funds availability was conducted for certain of these items. This is a\nsimilar condition to that noted during our visit to the Southern Service Center during the prior\nyear audit.\n\nWe recommend that Corporation management pay particular attention to the compliance of\nSouthern Service Center personnel with internal control policies that require documentation be\nmaintained in support of all financial transactions. Adherence to established internal control\npolicies and procedures should be enforced and appropriate action taken to correct any noted\nnoncompliance.\n\nHuman Resources\n\nH.1    Review of Payroll-Related Data Entry Is Not Consistently Performed by Service Centers\n       and State Offices\n\nDuring the Federal payroll reconciliation process, a Personnel Specialist at headquarters reviews\nevery headquarters time sheet to verify the accuracy of hours input in the system. For the Service\nCenter data, which includes the hours from the State Offices, the Personnel Specialist depends on\ntechnicians at the Service Centers to verify the accuracy of the hours input. However, an\nindependent review of the hours input versus the hours recorded on the timesheets is not\nroutinely performed by Service Center personnel. An undetected discrepancy in hours could\nresult in over or underpayment to an employee or incorrect use of leave.\n\nA similar situation exists at the State Offices with respect to the process to review the accuracy\nof data entered into the VISTA Management System (VMS). 
Incorrect data entry into VMS\ncould cause a VISTA member to be paid incorrectly, receive incorrect benefits, or not receive a\npaycheck due to an incorrect mailing address.\n\nWe recommend that the Corporation specifically assign staff at each service center to review the\naccuracy of hours entered into the system. We also recommend that the Corporation implement\na review process for the data entered into VMS.\n\nH.2    Approval of Federal Payroll Reconciliation Is Not Secured by Cryptography System\n\nDuring the Federal payroll reconciliation process, both the Personnel Management Specialist\n(preparer) and the Labor and Employee Relations Team Leader (reviewer) sign the reconciliation\nby means of scanned-in signatures. However, the signatures are not secured by a cryptographic\nsystem; as a result, they could be accessed and used by employees other than those noted above.\n\nThe Corporation began using scanned-in signatures in an attempt to streamline the approval\nprocess for the payroll reconciliation and to limit the amount of paper needed to process its\npayroll. However, the electronic signatures exist as plain text files on a Personal Computer\nconnected to the Corporation\'s Local Area Network, and could be accessed and put to improper\nuse by anyone with a technical background and computer knowledge. Although the users of\nthese signatures maintain items on a diskette, the e-mail exchanged can be accessed.\n\nWe recommend the implementation of true electronic signatures to prevent unauthorized use of\nsuch signatures. As part of a public key cryptography system, only the person to whom a\nsignature belongs can use it. 
Improper use is detected by means of a cryptographic algorithm.\n\nH.3    Approval of Request for Personnel Action Forms Is Not Consistently Documented\n\nTo provide independent assurance that a personnel action requested by a Department Head is\nnecessary and can be funded, the Employment, Compensation, and Training Team Leader\nreviews and approves all Requests for Personnel Action (SF-52s). The SF-52 must be approved\nbefore initiating the Notifications of Personnel Action (SF-50s). The SF-50 is used to change\npersonnel information in the system. However, our test work indicated that the approval of 28 of\n78 SF-52s prior to initiation of SF-50s was not documented.\n\nInadequate review of the SF-52 can result in undetected abuse of the personnel system, such as\nDepartment Heads by-passing the Team Leader for Employment, Compensation, and Training,\nand taking an SF-52 directly to the Office of Human Resources to initiate an SF-50.\n\nWe recommend that the Corporation enforce its SF-50 initiation policy and the importance of not\ninitiating an SF-50 without proper approval of the SF-52.\n\nH.4    National Civilian Community Corps (NCCC) Member Application Files Are Incomplete\n\nNCCC policy requires a complete application that includes Member signature, reference check,\nbackground investigation, and service agreement for all NCCC Members. Our review of 78\nselected NCCC Member application files revealed 20 applications without Member signatures,\ntwo files without background checks, and one Member with an unacceptable background check,\naccording to Corporation guidelines, who was still accepted into the program.\n\nMember signature, reference check and background investigation are necessary to verify\nimportant information about Member qualifications. 
Without these elements, the Corporation\nmay recruit Members who cannot promote Corporation ethics or who may not be eligible for the\nprogram.\n\nWe recommend that the Corporation enforce its NCCC application policies and require that all\nNCCC campuses use a standard checklist to identify and correct incomplete application files. All\nNCCC campuses should be required to periodically certify to the Corporation that all files have\nbeen reviewed and are complete. Justifications for accepting Members with background checks\nthat fail the established guidelines should be adequately documented and approved by NCCC top\nmanagement.\n\nH.5     VISTA Member Files Are Incomplete\n\nThe Corporation pays AmeriCorps*VISTA Members based on receipt of sponsor verification\nrosters that detail any changes in the membership at their sites. Of the 78 active VISTA Member\nfiles examined during the fiscal 1999 audit, 10 files did not contain sponsor verification rosters\nfor the pay periods selected for review. Without the returned roster, no evidence exists to\nsupport that the VISTA Member was active during the pay period. Therefore, the Corporation\ncould have erroneously paid the Member.\n\nAdditionally, we noted that 5 Members received payments that were less than the subsistence\namount to which they were entitled (ranging from $6 to $86) and one Member was overpaid by\n$92. Further, 10 Member files had stipend/education award election forms that differed from\nthe classification entered into the VMS (and did not contain evidence of a proper change in\nelection). Incorrect data entry to VMS could cause a VISTA Member to be paid incorrectly or\nreceive incorrect benefits.\n\nAccording to Corporation policy, VISTA Member applications must be completed, approved and\nmaintained at State Offices. 
The VISTA Member should be approved by the Corporation as\nrepresented by a State Office or Regional Program Director signature on either the application or\nthe Sponsor Evaluation Form (as appropriate). Members should also fill out life insurance forms\nelecting or waiving life insurance coverage.\n\nHowever, the VISTA Member files we reviewed did not appear to be closely reviewed for\ncompleteness. Of the 78 files reviewed, 59 contained at least one of the following types of\nerrors: incomplete life insurance election or waiver forms, missing future plans forms (when\napplicable), omitted supervisor signatures on stipend/education forms, and omitted approval\nsignatures on the sponsor evaluation forms. These errors could have an effect on further\nprocessing of VISTA Members to projects, or on their pay or benefit entitlements.\n\nWe recommend that:\n\n   The Corporation enforce its policy requiring that sponsor verification rosters be received each\n   pay period prior to paying VISTA Members. In addition, State Offices should be required to\n   follow up with project sponsors if verification rosters are not submitted to ensure the\n   accuracy of the member allowances.\n   The Corporation implement a review process for the data entered into VMS.\n   All State Offices use a standard checklist to provide reasonable assurance that all required\n   documents and approvals related to VISTA Members are on file. State Offices should be\n   required to periodically certify to the Corporation that the files have been reviewed and are\n   complete.\n\nLaws and Regulations\n\nI.1      Reports on Budget Execution Are Not Always Accurate or Submitted Timely\n\nBecause of complications experienced during the fiscal year 1999 financial accounting system\nconversion process, the Corporation was unable to submit its "4th Quarter" Reports on Budget\nExecution (SF-133). 
Instead, it submitted its "revised" September 30, 1999, SF-133s on January\n29, 2000. Although these reports were based on information recorded in Momentum, they were\nprepared manually. During our review of a sample of fiscal year 1999 SF-133 reports, we\nidentified several deficiencies and errors in the reporting process. Certain amounts reported on\nthe SF-133s did not agree to the documentation used to support the reports, and the Corporation\nused incorrect lines on the SF-133 to report certain account balances.\n\nThe Corporation has not implemented effective controls to ensure that the SF-133s are prepared\nin accordance with OMB standards. Although the Corporation has developed review procedures,\nthe Corporation has been unable to detect incorrect amounts that are entered on the SF-133s. As\na result of incorrectly preparing SF-133s, the Corporation is in violation of OMB Circular A-34,\nInstructions on Budget Execution.\n\nWe recommend that the Corporation establish more comprehensive controls over the SF-133\nreporting process, including, but not limited to, the following:\n\n      Development and maintenance of an "audit trail" that documents how the amounts reported\n      on the SF-133 were obtained.\n      Review and approval of the audit trail documentation by a designated supervisor held\n      accountable for accurate SF-133 reporting.\n\nI.2      Certain Apportionment and Reapportionment Schedules Were Not Submitted Timely\n\nAlthough the Corporation submitted the majority of its fiscal year 1999 Apportionment and\nReapportionment Schedules (SF-132s) reports on a timely basis, the Corporation did not submit\nan SF-132 to report the fiscal year 1999 rescission of $144,000. In addition, the SF-132 report\nused to account for the $800,000 fiscal year 1999 non-expenditure transfer from the Year 2000\nContingent Emergency Fund was not submitted until three months subsequent to the actual\ntransfer. 
Similar timeliness problems existed in fiscal years 1997 and 1998. As a result of\nsubmitting SF-132s late, the Corporation is in violation of OMB Circular A-34 and can be\ncharged with fines and penalties (or experience other repercussions).\n\nWe recommend that a designated supervisor be held accountable for the timely submission of\nSF-132s.\n\nProperty and Equipment\n\nJ.1    Procedures for Performing Physical Inventories of Property and Equipment Were Not\n       Implemented\n\nThe Corporation developed a policy late in fiscal year 1999 to perform a Corporation-wide\nphysical inventory of its property and equipment. Although an inventory of headquarters\nproperty was taken during fiscal year 1999, a complete Corporation-wide inventory had not been\nperformed as of September 30, 1999. This control weakness can result in the misappropriation\nof Corporation assets and the inaccurate reporting of assets and related depreciation expense in\nthe financial statements.\n\nWe recommend that the Corporation follow through on its plan to perform physical inventories\nof all Corporation property and equipment, including those items at the Service Centers and other\nlocations, at least on a biannual basis.\n
\n                                                                            Appendix B\n\n DATE:                June 13, 2000\n\n TO:\n\n FROM:\n\n SUBJECT:             Comments on Draft Report 00-38, Recommended Improvements to the\n                      Corporation\'s Internal Controls Fiscal Year 1999 - Management Letter\n\n\n\n  We reviewed the draft audit report containing suggestions for improving the Corporation\'s\n  internal controls. We are pleased to note that two areas for improvement that appeared in the\n  1998 Management Letter, Performance Measures and Investments, are no longer considered\n  areas in which improvements are needed. Based on our preliminary review of the draft, of the\n  31 recommendations in the report, 21 are repeated from other OIG audits. For these suggestions,\n  the Corporation has already identified needed corrective actions and is in the process of\n  implementing them. 
We also provided extensive comments on these matters when the auditors\n  first provided the Corporation with its Notice of Findings and Recommendations after\n  completing the audit. Therefore, we will limit our comments to certain sections of the draft\n  report.\n\n  Grants Management\n\n  The Corporation responded to most of the recommendations in its response to the fiscal 1998\n  management letter and began corrective action at that time. We are pleased to note that findings\n  related to grant file systems indicated that the files were generally in order, all significant\n  documents were in the files, and only about 2% of the files were missing items. We believe this\n  is an acceptable error rate for this process. We will continue to review grant files to ensure that\n  they contain the proper documentation. We also agree with the recommendation related to\n  development of a grants administration database. Beginning the development process for a new\n  system is one of the Corporation\'s priorities for fiscal 2000. However, it must be recognized that\n  it will take several years to complete development and implement a new system.\n\n  The report states that about 47 percent of the DVSA grants reviewed were not awarded at least\n  33 days before the beginning of the grant period. However, the 33-day turnaround requirement\n  was an internal Corporation goal, which exceeded the OMB of 10 days. Therefore the\n  Corporation has revised its policy to state that ordinarily, grant awards should be made at least\n  10 days before the beginning of the grant period.\n\n
National Service Trust\n\nWe were pleased to note that the Trust is no longer an area of material weakness. The WBRS\nsystem has contributed to improvement in Trust processing and, as recommended, we are\ncontinually examining the effectiveness of that system.\n\nWe do note that the draft report contains the same error related to processing timeframes that was\ncontained in the fiscal 1998 management letter. As we have previously stated, the "requested\ndate" is a date identified by an external institution and is not related to the Corporation\'s\nprocessing time. The Corporation\'s "Guidelines and Uses for the AmeriCorps Education\nAward" states the Corporation\'s processing goal is "Within three weeks of the Trust receiving a\nproperly completed voucher, the institution will be mailed a check..." This benchmark allows\ntwo weeks for the Trust to determine that the payment is proper and process the voucher and\nanother week for the processing cycle with Treasury to be completed.\n\nContent of Annual Reports\n\nThree of the four recommendations in this area are repeat recommendations from the fiscal 1998\nmanagement letter. The Corporation made its management decision on those recommendations\nand those decisions have not changed. The fourth recommendation suggests that the Corporation\nassess the benefits of reporting under Federal Accounting Standards Advisory Board (FASAB)\naccounting standards rather than under generally accepted accounting principles (GAAP) which\nare established by the Financial Accounting Standards Board (FASB). As we have discussed\nwith the auditors, the Corporation is required by law to prepare its financial statements under\nGAAP. 
In October 1999 (fiscal 2000), FASB recognized FASAB as the body that promulgates\nGAAP for Federal reporting entities. The Corporation is awaiting FASAB and OMB guidance\n(which will apply to all Federal government corporations) before it revises its reporting model.\n\nRevenue from Reimbursable Agreements\n\nThe Corporation responded to the recommendation in this area in the fiscal 1998 management\nletter and our decision has not changed. We believe controls are adequate to ensure timely\ndeposits and recording of cash receipts. The auditors found exceptions to the five-day timeframe\nin 9 of 45 instances. However, we cannot tell from the finding how many days late the deposits\nwere or if the deposit was received over a holiday period. Without that information, we cannot\ndetermine whether the incidents constituted significant delays that suggest we need to reconsider\nour controls or were just isolated instances that happen in the normal course of business.\n\nFund Balance with Treasury\n\nThe Corporation agrees that a staff member made an error preparing the SF-224 and the\nCorporation will require enhanced supervisory review of the report prior to its submission.\n\nInformation Technology\n\nThe Corporation responded to many of these recommendations when it received the Notices of\nFindings and Recommendations. One of the recommendations, suggesting that the Corporation\ndevelop a production control log was also included in the fiscal 1998 management letter, issued\nin May 1999. Our response to that report stated\n\n        The Corporation does not need a separate production control log with\n        Momentum in place. 
With the implementation of Momentum a\n        production schedule has been established and a log is maintained by the\n        operations group at the Department of the Interior/National Business\n        Center\n\nThe Corporation considers this recommendation closed. Another recommendation suggested\nthat the Corporation amend the terms of the agreement with NBC to request a client/server SAS\n70 report. The Corporation has requested that NBC provide it with a SAS 70 report by\nDecember 31, 2000. The report is also to include a disaster recovery plan and backup procedures\nrelated to NBC operations.\n\nProperty and Equipment\n\nAs we reported in the response to the Notice of Finding and Recommendation, the Corporation\ndid conduct a property inventory in FY 1999. In addition, we have put policies and procedures in\nplace that require an annual inventory of property and equipment. The policy was signed August\n5, 1999. This was reported in our February 3, 2000 Management Decision (IG report 99-24). In\naddition, the inventory of equipment and property has been completed for fiscal 2000.\n'